In many computer and network systems, multiple layers of security apparatus and software are deployed in order to detect and repel the ever-growing range of security threats. At the most basic level, computers use anti-virus software to prevent malicious software from running on the computer. At the network level, intrusion detection and prevention systems analyze and control network traffic to prevent malware from spreading through the network.
In this latter category, for example, PCT International Publication WO 2013/014672, whose disclosure is incorporated herein by reference, describes a method and system for detecting anomalous action within a computer network. The method starts with collecting raw data from at least one probe sensor that is associated with at least one router, switch or server in the computer network. The raw data is parsed and analyzed to create meta-data from the raw data, and computer network actions are identified based on knowledge of network protocols. The meta-data is associated with entities by analyzing and correlating between the identified network actions. A statistical model of the computer network is created, for detection of anomalous network actions associated with the entities.